I am trying to authenticate my remote access app, I can successfully get the code in the first step but when I send the second post to https://login.salesforce.com/services/oauth2/token I get a 400 Bad Request. Here is the .net code I am using, anyone have any ideas why this might not be working?

public string PostWebRequest(string postUrl, string paramData, Encoding dataEncode)
        {
            string ret = string.Empty;

            try
            {

                byte[] byteArray = dataEncode.GetBytes(paramData);
                HttpWebRequest webReq = (HttpWebRequest)WebRequest.Create(new Uri(postUrl));
                webReq.Method = "POST";
                webReq.ContentType = "application/x-www-form-urlencoded";

                webReq.ContentLength = byteArray.Length;
                Stream newStream = webReq.GetRequestStream();
                newStream.Write(byteArray, 0, byteArray.Length);//写入参数
                newStream.Close();
                HttpWebResponse response = (HttpWebResponse)webReq.GetResponse();
                StreamReader sr = new StreamReader(response.GetResponseStream(), Encoding.Default);
                ret = sr.ReadToEnd();
                sr.Close();
                response.Close();
                newStream.Close();
            }
            catch (WebException e)
            {
                Response.Write(e.Message);
            }
            return ret;
        }

Hi,

We have just received the security review result from you. Our app (Comm100 Live Chat) doesn't pass because of an authorization vulnerability: communications can be made on chatserver5.comm100.com without encryption. I think there might be some misunderstanding here. chatserver5.comm100.com is for visitor-side chatting, which shares no login session with the control panel(hosted.comm100.com) where the Salesforce integration is configured. It will in no way put the API session Id in vulnerability, let alone the Salesforce data.

We are more than willing to do everything as required. But this case is truly special, as it will affect our users in a large degree. Visitor-side SSL encryption was once configurable in our system. Many users are using our chat software on their websites without encryption. If we make encryption required now, it means these users will have to reinstall the code to continue using our chat software, which will bring great inconveniences to their business.

Please kindly help checking it out and let us know if there is a workaround.

PS: I have logged a case and got a response that indicated me developer support was currently available only to premier customers and partners. I was directed to the developer discussion boards.

Thank you very much. Look forward to hearing from you soon.

Celina

Hi,

 

I'm going to run Burp Scan for our integration with Salesforce (Comm100 Live Chat Salesforce Integration, API-only). I'm wondering which part I need to scan, just the salesforce-integration part or the whole part of Comm100 Live Chat? Please guide me to the right direction. Thanks advance.

 

 

Hi all

 

We have developed a  live chat app integrated with Saleforce (Comm100 Live Chat, http://www.comm100.com/livechat/salesforce-integration.aspx). We use API access. Is it a Composite Salesforce app?  How to prepare the security review? Should I request the Burp License here? Should I pay the review fee before Burp License Request here? Our app is not free. 

 

Thanks 

 

 

 

Hi all

 

We have developed a  live chat app integrated with Saleforce (Comm100 Live Chat, http://www.comm100.com/livechat/salesforce-integration.aspx). We use API access. Is it a Composite Salesforce app?  How to prepare the security review? Should I request the Burp License here? Should I pay the review fee before Burp License Request here? Our app is not free. 

 

Thanks